WarzoneRAT Returns: Avemaria Strikes Back Amid FBI Crackdown

The latest wave of activity appears to be tied to tax-themed spam emails, exploiting unsuspecting victims with cunningly disguised attachments.

by Ashish Khaitan, March 28, 2024, in News, Firewall Daily


WarzoneRAT, the notorious Remote Administration Tool (RAT) malware, has made a comeback despite the FBI's efforts to dismantle its operations earlier this year.

After seizing its infrastructure and arresting key individuals behind the cybercrime scheme, the FBI believed they had hindered the WarzoneRAT malware operation.

However, recent observations by Cyble Research and Intelligence Labs (CRIL) suggest otherwise, as new instances of WarzoneRAT, also known as Avemaria, have been identified in the wild.

WarzoneRAT Rejoins the Dark Web World 

According to Cyble Research & Intelligence Labs (CRIL), the latest wave of WarzoneRAT activity appears to be tied to tax-themed spam emails, exploiting unsuspecting victims with cunningly disguised attachments. 


In one instance, the attack chain begins with a compressed attachment, concealing a malicious LNK file disguised as a PNG image. Once executed, this LNK file triggers a series of PowerShell commands, ultimately leading to the deployment of WarzoneRAT via a multi-stage process involving VBScript and Reflective loading techniques.


Another method observed in the campaign involves the use of a ZIP archive containing seemingly harmless files, including a legitimate EXE, a malicious DLL, and a PDF document. Upon execution of the legitimate EXE, the malware employs DLL sideloading to load the malicious DLL, thereby initiating the WarzoneRAT infection process.
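As an added illustration (not from the original article or CRIL's report), the following Python sketch shows how a mail gateway could triage ZIP attachments for the two delivery shapes described above: a shortcut file posing as an image, and an EXE bundled with a DLL and a decoy document. The double-extension naming (`.png.lnk`), the extension sets, and all sample file names are assumptions constructed for the example.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Assumed extension sets for the example; tune to local mail policy.
IMAGE_EXTS = {".png", ".jpg", ".jpeg", ".gif"}
DECOY_EXTS = {".pdf", ".doc", ".docx"}


def triage_archive(data: bytes) -> list[str]:
    """Return findings for one ZIP attachment, using member names only."""
    findings = []
    by_dir = {}  # directory -> set of lowercased extensions found in it
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = PurePosixPath(info.filename)
            suffixes = [s.lower() for s in path.suffixes]
            by_dir.setdefault(str(path.parent), set()).add(path.suffix.lower())
            if suffixes and suffixes[-1] == ".lnk":
                # Explorer hides the .lnk extension, so "x.png.lnk" displays as "x.png".
                if len(suffixes) > 1 and suffixes[-2] in IMAGE_EXTS:
                    findings.append(f"lnk-disguised-as-image: {info.filename}")
                else:
                    findings.append(f"lnk-in-archive: {info.filename}")
    for directory, exts in by_dir.items():
        # EXE and DLL side by side with a decoy document: the sideloading bundle shape.
        if {".exe", ".dll"} <= exts and exts & DECOY_EXTS:
            findings.append(f"possible-sideload-bundle: {directory}")
    return findings


def build_zip(names):
    """Build an in-memory ZIP with placeholder contents (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    samples = {  # constructed member names, not indicators from the campaign
        "chain 1": build_zip(["tax_form.png.lnk"]),
        "chain 2": build_zip(["docs/viewer.exe", "docs/helper.dll", "docs/return.pdf"]),
        "benign": build_zip(["report.pdf", "photo.png"]),
    }
    for label, blob in samples.items():
        print(label, triage_archive(blob))
```

A name-based check like this is a triage signal only: a flagged sideload bundle still needs signature and hash verification of the EXE and DLL before any verdict.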

WarzoneRAT AKA Avemaria Leverages Stealth

The sophistication of these attacks lies in their multi-faceted approach, which includes obfuscation techniques, evasion tactics, and the utilization of reflective assembly loading to inject the malware into legitimate processes such as RegSvcs.exe. By dynamically loading payloads during runtime and evading detection mechanisms, the attackers behind WarzoneRAT demonstrate a keen understanding of cybersecurity vulnerabilities.


Furthermore, the choice of tax-themed spam emails as a delivery mechanism highlights the attackers' efforts to exploit users' trust and anticipation. By leveraging familiar themes, such as tax-related documents, threat actors increase the likelihood of successful infections, thereby maximizing the impact of their malicious campaigns.

Despite the FBI's previous intervention, WarzoneRAT has proven resilient, adapting its tactics and techniques to evade detection and continue its malicious activities. By employing a combination of obfuscation techniques, evasion tactics, and themed social engineering, threat actors aim to maximize the effectiveness of their attacks while complicating defenders' efforts to detect and mitigate them.

The Rise and Fall of WarzoneRAT 

Source: FBI

Warzone RAT first emerged as a formidable remote access trojan (RAT) in January 2019, quickly gaining notoriety as a top malware strain by 2020. Operating under the disguise of a legitimate commercial IT administration tool, it was sold as a malware-as-a-service (MaaS) by an online persona named Solmyr, offering affordable plans starting at $37.95 per month. 

Warzone RAT harbors malicious intent, serving as a powerful with advanced stealth and anti-analysis capabilities. However, on February 9, 2024, a crucial operation targeted Warzone RAT and its operators as a part of an international effort led by the FBI, with support from Europol and the Joint Cybercrime Action Taskforce (J-CAT). 

The operation resulted in the seizure of internet domains, including http://www.warzone.ws, known for selling the Warzone RAT malware. This move aimed to disrupt cybercriminal activities facilitated by the RAT, including unauthorized access to victims' systems, keystroke logging, screenshot capture, and unauthorized webcam access.

The crackdown also led to the arrest of two suspects in Malta and Nigeria on February 7, 2024, accused of selling the malware and aiding cybercriminals in their malicious endeavors. Despite these interventions, cracked versions of Warzone RAT continue to circulate on darknet forums, supplemented by instructional videos facilitating its deployment and command-and-control (C2) administration.

Warzone RAT has been implicated in numerous threat actors' campaigns, targeting geopolitical entities such as India's National Informatics Centre (NIC) and being utilized by the Confucius APT group against governmental institutions in mainland China and South Asian countries. 

